Confirmed Heartbleed victim: Canada Revenue Agency

The Canada Revenue Agency (CRA) has been breached by attackers that leveraged the newly discovered Heartbleed bug in OpenSSL and managed to compromise Social Insurance Numbers of some 900 taxpayers, the agency has confirmed on Monday.

The CRA took its online services offline on April 8, after having been informed of the danger that the vulnerability presented to the security of its systems. They have “worked around the clock with Shared Services Canada to apply a ‘patch'”, and have tested its effectiveness. The services were brought online again on Monday, April 14.

At the same time, they have been informed by the Government of Canada’s lead security agencies that they have suffered a breach that lasted six hours.

“Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability,” the agency shared. “We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.”

“The CRA is one of many organizations that was vulnerable to Heartbleed, despite our robust controls. Thanks to the dedicated support of Shared Services Canada and our security partners, the Agency was able to contain the infiltration before the systems were restored yesterday,” they noted. “Further, analysis to date indicates no other CRA infiltrations have occurred either before or after this breach.”

All taxpayers will be getting a registered letter to inform them of the breach, the agency confirmed, but warned that they will not be calling or emailing affected individuals so as not to give phishers the opportunity to trick them with fake emails and calls.

“The CRA will also provide those who have been affected with access to credit protection services at no cost. And we will apply additional protections to their CRA accounts to prevent any unauthorized activity,” they concluded.

“Hackers were obviously alert to the vulnerability, and quick to exploit it. The Agency has done the right thing by stating it will contact those affected via registered letters only, and that attempts to contact taxpayers via email or telephone will be fraudulent,” commented Keith Bird, UK managing director of Check Point.

“I believe we’ll see more announcements like this over the coming days. So it’s really important that people are cautious about clicking on any links in emails that they receive from organizations claiming that their security has been affected as a result of Heartbleed, no matter how plausible the emails appear to be. There’s a real risk that these are simply phishing emails, aiming to trick users into giving away personal details and passwords.”